From 4a09e96e470c1b5efd304cd28be847ad0b3a8320 Mon Sep 17 00:00:00 2001
From: Paul Wouters
Date: Tue, 23 Feb 2010 20:32:08 +0000
Subject: [PATCH] - Removed dependancy for dnssec-conf
- Added ISC DLV key (formerly in dnssec-conf)
- Fixup old DLV locations in unbound.conf file via %post

---
 dlv.isc.org.key | 2 +
 unbound-lame-r1953.patch | 348 +++++++++++++++++++++++++++++++++++++++
 unbound.conf | 13 +-
 unbound.spec | 40 +++--
 4 files changed, 371 insertions(+), 32 deletions(-)
 create mode 100644 dlv.isc.org.key
 create mode 100644 unbound-lame-r1953.patch

diff --git a/dlv.isc.org.key b/dlv.isc.org.key
new file mode 100644
index 0000000..c73944f
--- /dev/null
+++ b/dlv.isc.org.key
@@ -0,0 +1,2 @@
+; https://secure.isc.org/ops/dlv/dlv.isc.org.key
+dlv.isc.org. IN DNSKEY 257 3 5 BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh
diff --git a/unbound-lame-r1953.patch b/unbound-lame-r1953.patch
new file mode 100644
index 0000000..7f7d99e
--- /dev/null
+++ b/unbound-lame-r1953.patch
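Review bot: The new trust-anchor file records only the URL it was fetched from, so nothing in the package lets a later maintainer check the DNSKEY on the second line against what ISC actually publishes, and nothing says how a DLV key rollover is expected to reach this file. A key that unbound will treat as a trust root for the whole namespace deserves a provenance line; I'd add a second comment such as `; verified <date> against ISC's out-of-band published copy; re-verify before replacing` with the date and method actually used. Because the spec ships this file as `%config(noreplace)`, a rolled key in a later package will not overwrite a locally edited copy, which is worth a sentence next to that `%config` line too.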
@@ -0,0 +1,348 @@
+Index: iterator/iter_delegpt.c
+===================================================================
+--- iterator/iter_delegpt.c (revision 1952)
++++ iterator/iter_delegpt.c (revision 1953)
+@@ -154,11 +154,13 @@
+ /* ignore it */
+ return 1;
+ }
+- if(addr_is_ip6(addr, addrlen))
+- ns->got6 = 1;
+- else ns->got4 = 1;
+- if(ns->got4 && ns->got6)
+- ns->resolved = 1;
++ if(!lame) {
++ if(addr_is_ip6(addr, addrlen))
++ ns->got6 = 1;
++ else ns->got4 = 1;
++ if(ns->got4 && ns->got6)
++ ns->resolved = 1;
++ }
+ return delegpt_add_addr(dp, region, addr, addrlen, bogus, lame, nodup);
+ }
+ 
+@@ -254,10 +256,11 @@
+ (dp->bogus?" BOGUS":"") );
+ }
+ for(a = dp->target_list; a; a = a->next_target) {
+- if(a->bogus)
+- log_addr(VERB_ALGO, " BOGUS ",
+- &a->addr, a->addrlen);
+- else log_addr(VERB_ALGO, " ", &a->addr, a->addrlen);
++ const char* str = " ";
++ if(a->bogus && a->lame) str = " BOGUS ADDR_LAME ";
++ else if(a->bogus) str = " BOGUS ";
++ else if(a->lame) str = " ADDR_LAME ";
++ log_addr(VERB_ALGO, str, &a->addr, a->addrlen);
+ }
+ }
+ }
+@@ -448,3 +451,13 @@
+ }
+ }
+ }
++
++void delegpt_no_ipv6(struct delegpt* dp)
++{
++ struct delegpt_ns* ns;
++ for(ns = dp->nslist; ns; ns = ns->next) {
++ /* no ipv6, so only ipv4 is enough to resolve a nameserver */
++ if(ns->got4)
++ ns->resolved = 1;
++ }
++}
+Index: iterator/iter_delegpt.h
+===================================================================
+--- iterator/iter_delegpt.h (revision 1952)
++++ iterator/iter_delegpt.h (revision 1953)
+@@ -314,4 +314,11 @@
+ */
+ void delegpt_add_neg_msg(struct delegpt* dp, struct msgreply_entry* msg);
+ 
++/**
++ * Register the fact that there is no ipv6 and thus AAAAs are not going
++ * to be queried for or be useful.
++ * @param dp: the delegation point. Updated to reflect no ipv6.
++ */ ++void delegpt_no_ipv6(struct delegpt* dp); ++ + #endif /* ITERATOR_ITER_DELEGPT_H */ +Index: iterator/iterator.c +=================================================================== +--- iterator/iterator.c (revision 1952) ++++ iterator/iterator.c (revision 1953) +@@ -1305,6 +1305,8 @@ + verbose(VERB_QUERY, "Failed to get a delegation, giving up"); + return error_response(qstate, id, LDNS_RCODE_SERVFAIL); + } ++ if(!ie->supports_ipv6) ++ delegpt_no_ipv6(iq->dp); + delegpt_log(VERB_ALGO, iq->dp); + + if(iq->num_current_queries>0) { +Index: doc/Changelog +=================================================================== +--- doc/Changelog (revision 1952) ++++ doc/Changelog (revision 1953) +@@ -1,3 +1,11 @@ ++8 January 2010: Wouter ++ - Fix for parent-child disagreement code which could have trouble ++ when (a) ipv6 was disabled and (b) the TTL for parent and child ++ were different. There were two bugs, the parent-side information ++ is fixed to no longer block lookup of child side information and ++ the iterator is fixed to no longer attempt to get ipv6 when it is ++ not enabled and then give up in failure. ++ + 7 January 2010: Wouter + - Fixup python documentation (thanks Leo Vandewoestijne). + - Work on cache prefetch feature. +Index: testdata/iter_pcttl.rpl +=================================================================== +--- testdata/iter_pcttl.rpl (revision 0) ++++ testdata/iter_pcttl.rpl (revision 1953) +@@ -0,0 +1,245 @@ ++; config options ++server: ++ target-fetch-policy: "0 0 0 0 0" ++ do-ip6: no ++ ++stub-zone: ++ name: "." ++ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. ++CONFIG_END ++ ++SCENARIO_BEGIN Test cache ttls where parent child differ in ttl ++; and the lameness for parent suddenly becomes the only information point. ++ ++; K.ROOT-SERVERS.NET. ++RANGE_BEGIN 0 100 ++ ADDRESS 193.0.14.129 ++ENTRY_BEGIN ++MATCH opcode qtype qname ++ADJUST copy_id ++REPLY QR NOERROR ++SECTION QUESTION ++. IN NS ++SECTION ANSWER ++. 
IN NS K.ROOT-SERVERS.NET. ++SECTION ADDITIONAL ++K.ROOT-SERVERS.NET. IN A 193.0.14.129 ++ENTRY_END ++ ++ENTRY_BEGIN ++MATCH opcode subdomain ++ADJUST copy_id copy_query ++REPLY QR NOERROR ++SECTION QUESTION ++com. IN NS ++SECTION AUTHORITY ++com. IN NS a.gtld-servers.net. ++SECTION ADDITIONAL ++a.gtld-servers.net. IN A 192.5.6.30 ++ENTRY_END ++ ++ENTRY_BEGIN ++MATCH opcode subdomain ++ADJUST copy_id copy_query ++REPLY QR NOERROR ++SECTION QUESTION ++net. IN NS ++SECTION AUTHORITY ++net. IN NS e.gtld-servers.net. ++SECTION ADDITIONAL ++e.gtld-servers.net. IN A 192.12.94.30 ++ENTRY_END ++ ++RANGE_END ++ ++; a.gtld-servers.net. ++RANGE_BEGIN 0 100 ++ ADDRESS 192.5.6.30 ++ENTRY_BEGIN ++MATCH opcode qtype qname ++ADJUST copy_id ++REPLY QR NOERROR ++SECTION QUESTION ++com. IN NS ++SECTION ANSWER ++com. IN NS a.gtld-servers.net. ++SECTION ADDITIONAL ++a.gtld-servers.net. IN A 192.5.6.30 ++ENTRY_END ++ ++ENTRY_BEGIN ++MATCH opcode subdomain ++ADJUST copy_id copy_query ++REPLY QR NOERROR ++SECTION QUESTION ++example.com. IN NS ++SECTION AUTHORITY ++example.com. IN NS ns.foo.com. ++SECTION ADDITIONAL ++;ns.foo.com. 200 IN A 1.2.3.44 ++ENTRY_END ++ ++ENTRY_BEGIN ++MATCH opcode subdomain ++ADJUST copy_id copy_query ++REPLY QR NOERROR ++SECTION QUESTION ++foo.com. IN NS ++SECTION AUTHORITY ++foo.com. 200 IN NS ns.foo.com. ++SECTION ADDITIONAL ++ns.foo.com. 200 IN A 1.2.3.44 ++ENTRY_END ++ ++RANGE_END ++ ++; e.gtld-servers.net. ++RANGE_BEGIN 0 100 ++ ADDRESS 192.12.94.30 ++ENTRY_BEGIN ++MATCH opcode qtype qname ++ADJUST copy_id ++REPLY QR NOERROR ++SECTION QUESTION ++net. IN NS ++SECTION ANSWER ++net. IN NS e.gtld-servers.net. ++SECTION ADDITIONAL ++e.gtld-servers.net. IN A 192.12.94.30 ++ENTRY_END ++ ++RANGE_END ++ ++; ns.foo.com. ++; The parent-IP version ++RANGE_BEGIN 0 100 ++ ADDRESS 1.2.3.44 ++ENTRY_BEGIN ++MATCH opcode qtype qname ++ADJUST copy_id ++REPLY AA QR NOERROR ++SECTION QUESTION ++foo.com. IN NS ++SECTION ANSWER ++foo.com. 200 IN NS ns.foo.com. 
++SECTION ADDITIONAL ++ns.foo.com. 100 IN A 1.2.3.44 ++ENTRY_END ++ ++ENTRY_BEGIN ++MATCH opcode qtype qname ++ADJUST copy_id ++REPLY AA QR NOERROR ++SECTION QUESTION ++ns.foo.com. IN A ++SECTION ANSWER ++ns.foo.com. 100 IN A 1.2.3.44 ++SECTION AUTHORITY ++foo.com. 200 IN NS ns.foo.com. ++ENTRY_END ++ ++ENTRY_BEGIN ++MATCH opcode qtype qname ++ADJUST copy_id ++REPLY AA QR NOERROR ++SECTION QUESTION ++ns.foo.com. IN AAAA ++SECTION AUTHORITY ++foo.com. 100 IN SOA . . 1 2 3 4 5 ++ENTRY_END ++ ++ENTRY_BEGIN ++MATCH opcode qtype qname ++ADJUST copy_id ++REPLY AA QR NOERROR ++SECTION QUESTION ++example.com. IN NS ++SECTION ANSWER ++example.com. 200 IN NS ns.foo.com. ++ENTRY_END ++ ++ENTRY_BEGIN ++MATCH opcode qtype qname ++ADJUST copy_id ++REPLY AA QR NOERROR ++SECTION QUESTION ++www.example.com. IN A ++SECTION ANSWER ++www.example.com. 100 IN A 10.20.30.40 ++SECTION AUTHORITY ++example.com. 200 IN NS ns.foo.com. ++SECTION ADDITIONAL ++ns.foo.com 100 IN A 1.2.3.44 ++ENTRY_END ++RANGE_END ++ ++; NOT USED. The parent side equals child side but not in the cache. ++; and they have different TTLs only. ++; ns.foo.com ++; The child IP version. Does not respond to anything (servfail instead ++; of timeouts since this is easier to encode in .rpl file format). ++RANGE_BEGIN 0 100 ++ ADDRESS 1.2.3.55 ++ENTRY_BEGIN ++MATCH opcode ++ADJUST copy_id copy_query ++REPLY QR SERVFAIL ++SECTION QUESTION ++foo.com. IN NS ++SECTION ANSWER ++ENTRY_END ++ ++RANGE_END ++ ++STEP 1 QUERY ++ENTRY_BEGIN ++REPLY RD ++SECTION QUESTION ++www.example.com. IN A ++ENTRY_END ++ ++; recursion happens here. ++STEP 20 CHECK_ANSWER ++ENTRY_BEGIN ++MATCH all ++REPLY QR RD RA NOERROR ++SECTION QUESTION ++www.example.com. IN A ++SECTION ANSWER ++www.example.com. 100 IN A 10.20.30.40 ++SECTION AUTHORITY ++example.com. 100 IN NS ns.foo.com. 
++; scrubbed off
++;SECTION ADDITIONAL
++;ns.foo.com IN A 1.2.3.44
++ENTRY_END
++
++; Now we wait 101 seconds, and the child data is gone,
++; but the parent-side was cached for 200 and it still there.
++
++STEP 30 TIME_PASSES ELAPSE 101
++
++STEP 40 QUERY
++ENTRY_BEGIN
++REPLY RD
++SECTION QUESTION
++www.example.com. IN A
++ENTRY_END
++
++; recursion happens here.
++STEP 50 CHECK_ANSWER
++ENTRY_BEGIN
++MATCH all
++REPLY QR RD RA NOERROR
++SECTION QUESTION
++www.example.com. IN A
++SECTION ANSWER
++www.example.com. 100 IN A 10.20.30.40
++SECTION AUTHORITY
++example.com. 100 IN NS ns.foo.com.
++; scrubbed off
++;SECTION ADDITIONAL
++;ns.foo.com IN A 1.2.3.44
++ENTRY_END
++
++SCENARIO_END
diff --git a/unbound.conf b/unbound.conf
index 28998c1..6109f5b 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -10,15 +10,6 @@ server:
 # whitespace is not necessary, but looks cleaner.
- # To enable DNSSEC trust anchors, install the dnssec-keys package and
- # uncomment the line below, or run dnssec-configure -h for more options
- # trusted-keys-file: "/etc/pki/dnssec/production.conf"
-
- # To enable DLV trust anchor with DLV, install the dnssec-keys package
- # and uncomment the line below, or run dnssec-configure -h for more
- # options
- # dlv-anchor-file: "/etc/pki/dnssec-keys/dlv/dlv.isc.org.key"
-
 # verbosity number, 0 is least verbose. 1 is default.
 verbosity: 1
@@ -300,8 +291,8 @@ server:
 # File with DLV trusted keys. Same format as trust-anchor-file.
 # There can be only one DLV configured, it is trusted from root down.
- # Download https://secure.isc.org/ops/dlv/dlv.isc.org.key
- # dlv-anchor-file: "/etc/pki/dnssec-keys/dlv.isc.org.key"
+ # Downloaded from https://secure.isc.org/ops/dlv/dlv.isc.org.key
+ dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"
 # File with trusted keys for validation. Specify more than one file
 # with several entries, one file per entry.
diff --git a/unbound.spec b/unbound.spec
index bb5ee64..1251f0e 100644
--- a/unbound.spec
+++ b/unbound.spec
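Review bot: The second unbound.conf hunk uncomments `dlv-anchor-file`, which switches DNSSEC validation through ISC's DLV registry on for every installation and makes ISC a trust root for all zones, whereas the old %post (removed later in this commit) decided that from `$DLV` in /etc/sysconfig/dnssec. Neither the commit message nor the changelog says the default moves from opt-in to on, so state it where an operator will read it, e.g. `# DLV validation is enabled by default; ISC's DLV registry is trusted for all zones. Comment out to disable.` The spec's %post comment also says unbound will not start if this path is bad, so this line and the `install` of `%{SOURCE4}` in the spec have to stay in step; a short comment pointing at that coupling would help the next editor.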
@@ -9,18 +9,15 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.4.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: BSD
 Url: http://www.nlnetlabs.nl/unbound/
 Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
 Source1: unbound.init
 Source2: unbound.conf
 Source3: unbound.munin
-# See the unbound svn repository for further documentation on these
-#Patch1: unbound-r1657.patch
-#Patch2: unbound-r1670.patch
-#Patch3: unbound-r1677.patch
-Patch4: unbound-1.2-glob.patch
+Source4: dlv.isc.org.key
+Patch1: unbound-1.2-glob.patch
 Group: System Environment/Daemons
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -34,9 +31,8 @@ Requires(post): chkconfig
 Requires(preun): chkconfig
 Requires(preun): initscripts
 Requires(postun): initscripts
-Requires: ldns >= 1.5.0, dnssec-conf >= 1.19
+Requires: ldns >= 1.5.0
 Requires(pre): shadow-utils
-Requires: dnssec-conf
 %description
 Unbound is a validating, recursive, and caching DNS(SEC) resolver.
@@ -88,10 +84,7 @@ Python modules and extensions for unbound
 %prep
 %setup -q
-#%patch1
-#%patch2
-#%patch3
-%patch4 -p1
+%patch1 -p1
 %build
 %configure --with-ldns= --with-libevent --with-pthreads --with-ssl \
@@ -119,6 +112,9 @@ for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unboun
 ln -s unbound %{buildroot}%{_datadir}/munin/plugins/$plugin
 done
+# install DLV key
+install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/unbound/
+
 # remove static library from install (fedora packaging guidelines)
 rm -rf %{buildroot}%{_libdir}/*.la
@@ -134,6 +130,7 @@ rm -rf ${RPM_BUILD_ROOT}
 %attr(0755,root,root) %dir %{_sysconfdir}/%{name}
 %attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name}
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
 %{_sbindir}/*
 %{_mandir}/*/*
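Review bot: The commit adds unbound-lame-r1953.patch (348 lines in the diffstat), but the first spec hunk declares only `Source4` and `Patch1` and %prep applies only `%patch1 -p1`, so the new patch is never applied and the built package still lacks the parent/child TTL fix it carries. If it is meant to go in, add `Patch2: unbound-lame-r1953.patch` after the `Patch1:` line and `%patch2 -p0` after `%patch1 -p1` (the file is in svn `Index:` form with paths relative to the source root, so `-p0`), and mention it in the changelog; if not, drop the file from the commit. The commit message does not mention it at all, so its presence looks accidental either way.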
@@ -167,15 +164,11 @@ exit 0
 %post
 /sbin/chkconfig --add %{name}
-# Check DNSSEC settings if this is a fresh install
-if [ "$1" -eq 1 ]; then
- if [ -r /etc/sysconfig/dnssec ]; then
- . /etc/sysconfig/dnssec
- [ -x /usr/sbin/dnssec-configure ] && \
- dnssec-configure -u --norestart --nocheck --dnssec="$DNSSEC" --dlv="$DLV" > \
- /dev/null 2>&1
- fi;
-fi
+# dnssec-conf used to contain our DLV key, but now we include it via unbound
+# If unbound had previously been configured with dnssec-configure, we need
+# to migrate the location of the DLV key file (to keep DLV enabled, and because
+# unbound won't start with a bad location for a DLV key file.
+sed -i "s:/etc/pki/dnssec-keys[/]*dlv:/etc/unbound:" %{_sysconfdir}/unbound/unbound.conf
 %post libs -p /sbin/ldconfig
@@ -193,6 +186,11 @@ fi
 %postun libs -p /sbin/ldconfig
 %changelog
+* Thu Feb 18 2010 Paul Wouters - 1.4.1-2
+- Removed dependancy for dnssec-conf
+- Added ISC DLV key (formerly in dnssec-conf)
+- Fixup old DLV locations in unbound.conf file via %%post
+
 * Tue Jan 05 2010 Paul Wouters - 1.4.1-1
 - Updated to 1.4.1
 - Changed %%define to %%global
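Review bot: The migration pattern `/etc/pki/dnssec-keys[/]*dlv` is not anchored to a path component, so on the other old location this package itself documented, `/etc/pki/dnssec-keys/dlv.isc.org.key` (the example removed in the unbound.conf hunk), it matches through the `dlv` of the filename and rewrites the line to `/etc/unbound.isc.org.key`, a file that does not exist, and the comment directly above says unbound then refuses to start. Match the whole filename instead: `sed -i 's:/etc/pki/dnssec-keys/\(dlv/\)\{0,1\}dlv\.isc\.org\.key:/etc/unbound/dlv.isc.org.key:' %{_sysconfdir}/unbound/unbound.conf`. The rewrite also runs on every fresh install as well as every upgrade against a `%config(noreplace)` file; wrapping it in `if [ "$1" -gt 1 ]; then … fi` limits it to upgrades, which is the only case the comment describes. The parenthesis opened in that comment is never closed.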